okta

The Okta MCP Server is a groundbreaking tool built by the team at Fctr that enables AI models to interact directly with your Okta environment using the Model Context Protocol (MCP). Built specifically for IAM engineers, security teams, and Okta administrators, it implements the MCP specification to help work with Okta entities.

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio fctr-id-okta-mcp-server node server.js \
  --env JWKS_URI="<jwks_uri_if_applicable>" \
  --env OKTA_ORG_URL="<your_okta_org_url>" \
  --env OKTA_API_TOKEN="<your_okta_api_token>"

How to use

The Okta MCP Server exposes MCP-compatible tools that let AI agents interact with your Okta tenant. It enables capabilities such as comprehensive access analysis and login risk assessment, allowing AI-driven inquiries like which users have access to a given app, or whether a user’s recent activity indicates a risk. The server is designed for IAM engineers, security teams, and Okta administrators, and leverages bearer-token security to protect data in transit. Once running, you can query the server through MCP clients and receive structured responses that you can incorporate into workflows, reports, or automated remediation steps.

In practice, you’ll use the provided tools to inspect user and group assignments, evaluate MFA and network conditions for access decisions, and generate summaries suitable for audit trails. The “Access Analysis” tool helps you answer questions like “Can user X access app Y?” by evaluating user status, group memberships, policy grants, and MFA requirements. The “Login Risk Assessment” tool analyzes recent login behavior, IP geolocation, device fingerprints, and risk scores to classify activity as low, medium, or high risk. These tools are designed to reduce manual investigation time and improve security posture by surfacing actionable insights from your Okta data.

How to install

Prerequisites:

  • Node.js (LTS) installed on the host (e.g., Node.js 18.x or newer)
  • npm (comes with Node.js)
  • Access to your Okta tenant and an API token with appropriate scopes

Step-by-step installation:

  1. Clone the repository:
     git clone https://github.com/fctr-id/fctr-okta-mcp-server.git
     cd fctr-okta-mcp-server

  2. Install dependencies: npm install

  3. Configure environment variables:

    • Create a .env file or set them in your environment:
      OKTA_ORG_URL=https://{yourOktaDomain}
      OKTA_API_TOKEN={your_api_token}
      JWKS_URI=https://{your_domain}/.well-known/jwks.json

  4. Run the server: node server.js

Optional Docker deployment:

  • Build and run the container (if Docker support is provided by the project):
    docker build -t fctr-okta-mcp-server .
    docker run -i \
      -e OKTA_ORG_URL=https://{domain} \
      -e OKTA_API_TOKEN={token} \
      -e JWKS_URI=https://{domain}/.well-known/jwks.json \
      fctr-okta-mcp-server

  5. Verify the server is running by querying its MCP endpoints with your MCP client.

Notes:

  • Ensure your Okta API token has the necessary scopes for users, groups, apps, and events.
  • If you enable bearer token validation, configure jwks_uri as appropriate.
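
A pre-flight check for the three settings configured in step 3, as an added example that is not code from the Fctr project: it parses .env text and reports unfilled placeholders, non-HTTPS URLs, and a missing token before the server is started. The function names (parseDotEnv, checkOktaMcpEnv) are hypothetical; only the variable names come from this page.

```javascript
// Added example: pre-flight validation of the settings this page's install steps
// put in .env. Function names are hypothetical; variable names come from the page.

// Parse KEY=VALUE lines from .env text (comments and blank lines are skipped).
function parseDotEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 1) continue;
    const key = line.slice(0, eq).trim();
    // Strip one pair of surrounding quotes, if present.
    env[key] = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2");
  }
  return env;
}

// True when a value still holds a template placeholder such as {token} or <token>.
function isPlaceholder(value) {
  return /[{}<>]/.test(value);
}

// Return the reason a URL setting is unsafe, or null when it is acceptable.
function httpsUrlProblem(name, value) {
  if (isPlaceholder(value)) return `${name} still contains a placeholder`;
  let url;
  try { url = new URL(value); } catch { return `${name} is not a valid URL`; }
  if (url.protocol !== "https:") return `${name} must use https`;
  if (url.username || url.password) return `${name} must not embed credentials`;
  return null;
}

// Collect every problem so all of them can be fixed before the server starts.
function checkOktaMcpEnv(env) {
  const problems = [];
  const org = httpsUrlProblem("OKTA_ORG_URL", env.OKTA_ORG_URL || "");
  if (org) problems.push(org);
  const token = env.OKTA_API_TOKEN || "";
  if (!token) problems.push("OKTA_API_TOKEN is missing");
  else if (isPlaceholder(token)) problems.push("OKTA_API_TOKEN still contains a placeholder");
  // JWKS_URI is optional on this page; when set, signing keys must be fetched over TLS.
  if (env.JWKS_URI) {
    const jwks = httpsUrlProblem("JWKS_URI", env.JWKS_URI);
    if (jwks) problems.push(jwks);
  }
  return problems;
}
```

Pass the contents of the .env file to parseDotEnv and refuse to start the server while checkOktaMcpEnv returns a non-empty list.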

Additional notes

Tips and common considerations:

  • Security: Use the JWKS URI to validate bearer tokens if you enable token-based auth. Keep API tokens and secret keys secure and rotate them regularly.
  • Environment variables: Use a dedicated non-production Okta tenant for testing MCP tools before connecting to production data.
  • Tool capabilities: Access Analysis assesses user, group, and policy data to determine app access. Risk Assessment reviews login patterns, IP reputation, and device signals to categorize risk.
  • Troubleshooting: If MCP endpoints are not reachable, verify network access to Okta, correct org URL, and that API tokens are valid. Check logs for authentication errors and token validation failures.
